Compliance with ISO 27001 and GDPR

1. So if we have GDPR requirements as regulatory requirement, does our ISMS have to be also fully compliant with GDPR?

Answer: If the information you want the ISMS to protect includes information under GDPR your ISMS has to be compliant with GDPR Article 32 (information security requirements in GDPR). For example, if the information included in your ISMS scope does not include personal data from EU citizens your ISMS does not need to be compliant with GDPR.

This article can provide your further information about ISMS requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2. How does it reflect in the audit?

Answer: If GDPR is a require ment for your ISMS, during certification and surveillance audits the auditor will check if controls deemed necessary to ensure compliance with GDPR Article 32 are implemented and working properly.

3. Can we exclude the GDPR from the requirements list. How to manage this?

Answer: As mentioned in answer 1, if the information you want the ISMS to protect does not include personal data from EU citizens, you can exclude the GDPR from the ISMS requirements list.

4. What if an auditor sees that we conform to the ISO 27001 requirements but not to the GDPR? I mean that the GDPR involves more requirements than ISO 27001 so it extends the ISO 27001 scope, I suppose it shouldn't be like that.

Answer: If the GDPR is a requirement for the ISMS and you are not fully compliant with Article 32, then the certification auditor cannot proceed with the recommendation for certification until you are fully compliant with the article's requirements.

To see how documents of ISO 27001 compliant with GDPR look like see the free demo of this EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

These materials will provide you further explanation about the relation between ISO 27001 and GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help

Could you please provide an example of ISMS scope when requirements of GDPR are not obligatory? I can hardly imagine this when talking about ISMS for the whole company as far as any data of employee is considered as personal.
So do I understand correct that these could only be some exclusive cases when ISMS does not include employees? Is it someway possible?

Thank You.

Answer: If you are an organization operating inside EU, and your scope is the whole organization, then indeed you will not be able to exclude GDPR (as you said, at least the personal data from your employees will have to be protected considering Article 32).

As for an example where you can exclude GDPR of your ISMS list of requirements, even if you operate inside EU, I can mention a scope limited to Research and Development process/department, provided that it does not use EU citizens personal data on test databases.